
平台论坛博客文库

› 论坛 › 操作系统 › BSD › OpenBSD PF 单个IP限速

[OpenBSD] OpenBSD PF 单个IP限速 [复制链接]

rainren

家境小康

论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-05-11 20:23 |只看该作者 |倒序浏览

做了一些网关, 一直是iptables + tc才能对网内每一个IP 限速! 用pf来做有点困难. 参考网上找到的许多规则, 实验了一些, 成了下面的规则, 各位可试验, 贴些自己的pf规则技巧, 让我也受益一些!

ext_if="pppoe0"
int_if="fxp1"
set state-policy if-bound
set block-policy return
set optimization aggressive
scrub in all
altq on $ext_if hfsc bandwidth 512Kb queue { u1, u2, u3, u4, u5, u6, u7, u8, u9, u10, u11, u12, u13, u14, u15, u16, u17, u18, u19, u20, u21, u22, u23, u24, u25, u26, u27, u28, u29, u30, uother }
queue u1 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u2 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u3 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u4 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u5 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u6 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u7 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u8 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u9 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u10 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u11 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u12 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u13 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u14 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u15 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u16 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u17 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u18 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u19 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u20 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u21 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u22 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u23 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u24 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u25 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u26 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u27 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u28 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u29 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue u30 bandwidth 16Kb hfsc ( upperlimit 128Kb red )
queue uother bandwidth 32Kb hfsc ( default upperlimit 128Kb )
altq on $int_if hfsc bandwidth 2Mb queue{ c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25, c26, c27, c28, c29, c30, other }
queue c1 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c2 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c3 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c4 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c5 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c6 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c7 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c8 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c9 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c10 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c11 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c12 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c13 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c14 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c15 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c16 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c17 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c18 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c19 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c20 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c21 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c22 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c23 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c24 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c25 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c26 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c27 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c28 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c29 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue c30 bandwidth 64Kb hfsc( upperlimit 512Kb red )
queue other bandwidth 80Kb hfsc( default upperlimit 128Kb)
nat on $ext_if from $int_if:network to any -> ($ext_if)
block all
block quick inet6 all
pass quick on lo0 all
antispoof for $ext_if
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in quick on $int_if inet from 192.168.1.2 to any keep state tag 192.168.1.2 queue c1
pass out quick on $ext_if inet all keep state tagged 192.168.1.2 queue u1
pass in quick on $int_if inet from 192.168.1.3 to any keep state tag 192.168.1.3 queue c2
pass out quick on $ext_if inet all keep state tagged 192.168.1.3 queue u2
pass in quick on $int_if inet from 192.168.1.4 to any keep state tag 192.168.1.4 queue c3
pass out quick on $ext_if inet all keep state tagged 192.168.1.4 queue u3
pass in quick on $int_if inet from 192.168.1.5 to any keep state tag 192.168.1.5 queue c4
pass out quick on $ext_if inet all keep state tagged 192.168.1.5 queue u4
pass in quick on $int_if inet from 192.168.1.6 to any keep state tag 192.168.1.6 queue c5
pass out quick on $ext_if inet all keep state tagged 192.168.1.6 queue u5
pass in quick on $int_if inet from 192.168.1.7 to any keep state tag 192.168.1.7 queue c6
pass out quick on $ext_if inet all keep state tagged 192.168.1.7 queue u6
pass in quick on $int_if inet from 192.168.1.8 to any keep state tag 192.168.1.8 queue c7
pass out quick on $ext_if inet all keep state tagged 192.168.1.8 queue u7
pass in quick on $int_if inet from 192.168.1.9 to any keep state tag 192.168.1.9 queue c8
pass out quick on $ext_if inet all keep state tagged 192.168.1.9 queue u8
pass in quick on $int_if inet from 192.168.1.10 to any keep state tag 192.168.1.10 queue c9
pass out quick on $ext_if inet all keep state tagged 192.168.1.10 queue u9
pass in quick on $int_if inet from 192.168.1.11 to any keep state tag 192.168.1.11 queue c10
pass out quick on $ext_if inet all keep state tagged 192.168.1.11 queue u10
pass in quick on $int_if inet from 192.168.1.12 to any keep state tag 192.168.1.12 queue c11
pass out quick on $ext_if inet all keep state tagged 192.168.1.12 queue u11
pass in quick on $int_if inet from 192.168.1.13 to any keep state tag 192.168.1.13 queue c12
pass out quick on $ext_if inet all keep state tagged 192.168.1.13 queue u12
pass in quick on $int_if inet from 192.168.1.14 to any keep state tag 192.168.1.14 queue c13
pass out quick on $ext_if inet all keep state tagged 192.168.1.14 queue u13
pass in quick on $int_if inet from 192.168.1.18 to any keep state tag 192.168.1.18 queue c14
pass out quick on $ext_if inet all keep state tagged 192.168.1.18 queue u14
pass in quick on $int_if inet from 192.168.1.19 to any keep state tag 192.168.1.19 queue c15
pass out quick on $ext_if inet all keep state tagged 192.168.1.19 queue u15
pass in quick on $int_if inet from 192.168.1.20 to any keep state tag 192.168.1.20 queue c16
pass out quick on $ext_if inet all keep state tagged 192.168.1.20 queue u16
pass in quick on $int_if inet from 192.168.1.21 to any keep state tag 192.168.1.21 queue c17
pass out quick on $ext_if inet all keep state tagged 192.168.1.21 queue u17
pass in quick on $int_if inet from 192.168.1.22 to any keep state tag 192.168.1.22 queue c18
pass out quick on $ext_if inet all keep state tagged 192.168.1.22 queue u18
pass in quick on $int_if inet from 192.168.1.23 to any keep state tag 192.168.1.23 queue c19
pass out quick on $ext_if inet all keep state tagged 192.168.1.23 queue u19
pass in quick on $int_if inet from 192.168.1.24 to any keep state tag 192.168.1.24 queue c20
pass out quick on $ext_if inet all keep state tagged 192.168.1.24 queue u20
pass in quick on $int_if inet from 192.168.1.25 to any keep state tag 192.168.1.25 queue c21
pass out quick on $ext_if inet all keep state tagged 192.168.1.25 queue u21
pass in quick on $int_if inet from 192.168.1.26 to any keep state tag 192.168.1.26 queue c22
pass out quick on $ext_if inet all keep state tagged 192.168.1.26 queue u22
pass in quick on $int_if inet from 192.168.1.27 to any keep state tag 192.168.1.27 queue c23
pass out quick on $ext_if inet all keep state tagged 192.168.1.27 queue u23
pass in quick on $int_if inet from 192.168.1.28 to any keep state tag 192.168.1.28 queue c24
pass out quick on $ext_if inet all keep state tagged 192.168.1.28 queue u24
pass in quick on $int_if inet from 192.168.1.29 to any keep state tag 192.168.1.29 queue c25
pass out quick on $ext_if inet all keep state tagged 192.168.1.29 queue u25
pass in quick on $int_if inet from 192.168.1.30 to any keep state tag 192.168.1.30 queue c26
pass out quick on $ext_if inet all keep state tagged 192.168.1.30 queue u26

复制代码

文库|博客

llzqq

广告杀手

论坛徽章:: 0

2楼 [报告]

发表于 2006-05-13 18:59 |只看该作者

这个在PF上配置，总显得比较繁琐。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

rainren

家境小康

论坛徽章:: 0

3楼 [报告]

发表于 2006-05-14 01:33 |只看该作者

pf.conf 不能在自动生成一些相似行！ iptables规则可shell编程。

yewei1012

白手起家

论坛徽章:: 0

4楼 [报告]

发表于 2006-05-15 23:26 |只看该作者

pf规则算很灵活了。
另外，做nat的话，ipfw/natd 跟pf没得比。

mafa mafa 当前离线禁止访问好友博客消息论坛徽章: 0	5楼 [报告] 发表于 2006-05-16 16:50 \|只看该作者提示: 作者被禁止或删除内容自动屏蔽
mafa mafa 当前离线禁止访问好友博客消息论坛徽章: 0	实战分享：从技术角度谈机器学习入门\| 【大话IT】RadonDB低门槛向MySQL集群下战书 \| ChinaUnix打赏功能已上线！ \| 新一代分布式关系型数据库RadonDB知多少？

像把刀子

家境小康

论坛徽章:: 0

6楼 [报告]

发表于 2006-05-16 17:56 |只看该作者

老大
iptables可以控制mac地址来限制上网需求不？

ioerr

家境小康

论坛徽章:: 0

7楼 [报告]

发表于 2008-09-09 15:36 |只看该作者

回复 #1 rainren 的帖子

这个pf太那个了吧，好麻烦啊，要是能按照地址列表限速就舒服些了

sjfff99

白手起家

论坛徽章:: 0

8楼 [报告]

发表于 2009-03-26 19:24 |只看该作者

是不是太麻烦了.要是带个300台机子.
那得写多少规则.

kisswen

小富即安

论坛徽章:: 2

9楼 [报告]

发表于 2009-03-26 20:16 |只看该作者

可以用table吗

sjfff99

白手起家

论坛徽章:: 0

10楼 [报告]

发表于 2009-03-26 20:59 |只看该作者

PF

有写好的或教程吗///
QQ:358340779

返回列表

Chinaunix › 论坛 › 操作系统 › BSD › OpenBSD PF 单个IP限速

mafa mafa 当前离线禁止访问好友博客消息论坛徽章: 0	5楼 [报告] 发表于 2006-05-16 16:50 \|只看该作者提示: 作者被禁止或删除内容自动屏蔽
mafa mafa 当前离线禁止访问好友博客消息论坛徽章: 0	实战分享：从技术角度谈机器学习入门\| 【大话IT】RadonDB低门槛向MySQL集群下战书 \| ChinaUnix打赏功能已上线！ \| 新一代分布式关系型数据库RadonDB知多少？

[OpenBSD] OpenBSD PF 单个IP限速 [复制链接]

回复 #1 rainren 的帖子

PF

浏览过的版块